SSL NGINX Reverse Proxy
# auth-basic.conf — HTTP Basic authentication for the proxied location.
# Include this only from a TLS-terminated server block: Basic credentials are
# merely base64-encoded on the wire, so on plain HTTP they would be exposed.
auth_basic "Restricted Area";
# A relative path here is resolved against the nginx prefix directory (check
# `nginx -V` for --prefix), which is not necessarily the conf directory; an
# absolute path avoids surprises. The file must be readable only by the nginx
# worker user, and the passwords should be stored as salted crypt hashes
# (e.g. the $6$ SHA-512 form from `openssl passwd -6`), not $apr1$/MD5 or
# plain text. NOTE(review): the included proxy.conf blanks the Authorization
# header, so these credentials are consumed here and not forwarded upstream.
auth_basic_user_file htpasswd;
# proxy.conf — upstream hand-off settings, included inside the proxied location.
# It assumes the enclosing server block terminates TLS on 443: several of the
# forwarded headers below hard-code that fact.

# --- timeouts and buffering -------------------------------------------------
proxy_connect_timeout 59s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;

# --- response handling ------------------------------------------------------
# Set-Cookie is not hidden by default, so this is explicit rather than needed.
proxy_pass_header Set-Cookie;
# Vary is stripped from responses. Downstream caches and browsers then cannot
# distinguish variants, so this is only safe if the backend's responses do not
# genuinely vary (e.g. on Cookie or Accept) — otherwise one user's variant can
# be cached for another. Accept-Encoding is blanked below, so encoding-based
# variation is already ruled out.
proxy_hide_header Vary;
# Only consulted when proxy_cache is enabled; no cache is configured in this
# gist, so this is inert today.
proxy_ignore_headers Cache-Control Expires;
# Rewrite Location/Refresh headers that point at the public name back to "/".
proxy_redirect http://*SUBDOMAIN*/ /;
proxy_redirect https://*SUBDOMAIN*/ /;

# --- request headers sent to the backend ------------------------------------
# Backend receives uncompressed bodies; nginx does not re-encode unless gzip is on.
proxy_set_header Accept-Encoding '';
proxy_set_header Host $host;
proxy_set_header Referer $http_referer;
proxy_set_header Cookie $http_cookie;
# Client identity. X-Real-IP is the TCP peer; X-Forwarded-For APPENDS the peer
# to whatever the client already sent, so the backend must trust only the
# right-most entry (or the proxy's own), never the first.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# Hard-coded to the TLS front end; correct only while this file is included
# exclusively from 443/TLS server blocks.
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto https;
# The Basic-auth credentials validated by nginx are dropped here so they never
# reach the backend. Side effect: a backend that needs its own Authorization
# header (tokens, API keys) cannot receive one through this proxy.
proxy_set_header Authorization '';
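# ssl.conf — TLS settings shared by HTTPS server blocks (included at server level).
# NOTE: "ssl on" is deprecated since nginx 1.15.0 and removed in later releases;
# the server block should use "listen 443 ssl;" instead. It is kept here so the
# existing include keeps working on older builds.
ssl on;
ssl_certificate /etc/ssl/certs/*KEYNAME*.cer;
ssl_certificate_key /etc/ssl/private/*KEYNAME*.key;

# Protocols: the gist relied on the nginx default, which on 2015-era builds still
# offered TLS 1.0/1.1 (and SSLv3 before 1.9.1). Only TLS 1.2 is enabled here;
# append TLSv1.3 on nginx >= 1.13.0 built against OpenSSL 1.1.1 or newer.
ssl_protocols TLSv1.2;

# Perfect forward secrecy: server-chosen ephemeral (EC)DH suites only.
# The original cipher list offered RC4 (prohibited by RFC 7465) and was
# truncated; this one is complete and explicitly drops RC4, 3DES, MD5,
# export-grade and NULL suites.
ssl_prefer_server_ciphers on;
# dhparam.pem must be at least 2048 bits (e.g. `openssl dhparam -out dhparam.pem 2048`).
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+aRSA+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT:!LOW";

# Forward secrecy is only as strong as the session-ticket key. nginx's default
# ticket key is random but is not rotated until a reload, so tickets are
# disabled and the per-worker-shared session cache is used for resumption.
ssl_session_tickets off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# HSTS, one year, covering all subdomains. "always" (nginx >= 1.7.5) attaches the
# header to error responses too — without it the 401 from auth_basic is sent
# without HSTS. Caveats: any add_header placed inside a location block replaces
# this inherited one, and includeSubDomains commits every subdomain to HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;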
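# Site definition for *SUBDOMAIN*: TLS termination plus Basic auth in front of a
# plaintext internal backend. Only 443 is served here. A plain-http request for
# this name lands on whatever the default server is, and HSTS (set in ssl.conf)
# only takes effect after a first successful HTTPS visit — add a separate
# "listen 80" server that 301-redirects to https://$host$request_uri.
server {
    # "ssl" on the listen line is the supported replacement for the deprecated
    # "ssl on" directive; both may coexist on older builds.
    listen 443 ssl;
    server_name *SUBDOMAIN*;
    access_log /var/log/nginx/*SUBDOMAIN*.access.log;
    error_log /var/log/nginx/*SUBDOMAIN*.error.log;
    # root/index are only reached by a location that does not proxy; as written,
    # everything under / is handed to the backend.
    root /usr/share/nginx/*SUBDOMAIN*;
    index index.html index.htm;
    include ssl.conf;

    location / {
        # The backend hop is plain HTTP: cookies and request bodies cross it
        # unencrypted, so *INTERNALADDRESS* must sit on a trusted network segment
        # (or switch to https:// with proxy_ssl_* verification).
        proxy_pass http://*INTERNALADDRESS*:PORT/;
        include proxy.conf;
        # Basic auth is evaluated before proxying; proxy.conf blanks the
        # Authorization header so the credentials never reach the backend.
        include auth-basic.conf;
    }
}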